lk启动流程详细分析
生活随笔
收集整理的這篇文章主要介紹了
lk启动流程详细分析
小編覺(jué)得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.
轉(zhuǎn)載請(qǐng)注明來(lái)源:cuixiaolei的技術(shù)博客
?
?
這篇文章是lk啟動(dòng)流程分析(以高通為例),將會(huì)詳細(xì)介紹下面的內(nèi)容:
1).正常開(kāi)機(jī)引導(dǎo)流程
2).recovery引導(dǎo)流程
3).fastboot引導(dǎo)流程
4).ffbm引導(dǎo)流程
5).lk向kernel傳參
?
start----------------------------------------
?
在bootable/bootloader/lk/arch/arm/crt0.S文件中有下面代碼,所以從kmain()開(kāi)始介紹
bl kmainkmain函數(shù)位于bootable/bootloader/lk/kernel/main.c
/* called from crt0.S */ void kmain(void) __NO_RETURN __EXTERNALLY_VISIBLE; void kmain(void) {// get us into some sort of thread context thread_init_early(); ? ? ? ? ?//初始化線程上下文#ifdef FEATURE_AFTER_SALE_LOG_LK// do console early init console_init_early(); ? ? ? ? ?//初始化控制臺(tái) #endif// early arch stuff arch_early_init(); ? ? ? ? ?//架構(gòu)初始化,如關(guān)閉cache,使能mmu// do any super early platform initialization platform_early_init(); ? ? ? ? //平臺(tái)早期初始化// do any super early target initialization target_early_init(); ? ? ? ? ? ? ? //目標(biāo)設(shè)備早期初始化,初始化串口dprintf(INFO, "welcome to lk\n\n");bs_set_timestamp(BS_BL_START); ? ? ? ? ? // deal with any static constructorsdprintf(SPEW, "calling constructors\n");call_constructors();// bring up the kernel heapdprintf(SPEW, "initializing heap\n");heap_init(); ? ? ? ? ? ? ? ? ? ? ?//堆初始化__stack_chk_guard_setup();// initialize the threading systemdprintf(SPEW, "initializing threads\n");thread_init(); ? ? ? ? ? ? ? ? ? ? //線程初始化#ifdef FEATURE_AFTER_SALE_LOG_LK// initialize the console layer dprintf(SPEW, "initializing console layer\n");console_init(); ? ? ? ? ? //初始化控制臺(tái) #endif// initialize the dpc systemdprintf(SPEW, "initializing dpc\n");dpc_init(); ? ? ? ? ? ? ? ? ? ? ? ?//lk系統(tǒng)控制器初始化// initialize kernel timersdprintf(SPEW, "initializing timers\n");timer_init(); ? ? ? ? ? ? ? ?//kernel時(shí)鐘初始化#if (!ENABLE_NANDWRITE)// create a thread to complete system initializationdprintf(SPEW, "creating bootstrap completion thread\n");thread_resume(thread_create("bootstrap2", &bootstrap2, NULL, DEFAULT_PRIORITY, DEFAULT_STACK_SIZE)); ? ? //創(chuàng)建一個(gè)線程初始化系統(tǒng)// enable interrupts exit_critical_section(); ? ? ? //使能中斷// become the idle thread thread_become_idle(); ? ? ?//本線程切換成idle線程,idle為空閑線程,當(dāng)沒(méi)有更高優(yōu)先級(jí)的線程時(shí)才執(zhí)行 #elsebootstrap_nandwrite(); #endif } arch_early_init()負(fù)責(zé)使能內(nèi)存管理單元mmu bootable/bootloader/lk/arch/arm/arch.c void arch_early_init(void) {/* turn off the cache */arch_disable_cache(UCACHE); ? ? ?//關(guān)閉cache/* set the vector base to our exception vectors so we dont need to double map at 0 */ #if ARM_CPU_CORTEX_A8set_vector_base(MEMBASE); ? ? ? //設(shè)置異常向量基地址 #endif#if ARM_WITH_MMUarm_mmu_init(); ? ? ? //使能mmu#endif/* turn the cache back on */arch_enable_cache(UCACHE); ? ? ?//打開(kāi)cache#if ARM_WITH_NEON/* enable cp10 and cp11 */uint32_t val;__asm__ volatile("mrc p15, 0, %0, c1, c0, 2" : "=r" (val));val |= (3<<22)|(3<<20);__asm__ volatile("mcr p15, 0, %0, c1, c0, 2" :: "r" (val));isb();/* set enable bit in fpexc */__asm__ volatile("mrc p10, 7, %0, c8, c0, 0" : "=r" (val));val |= (1<<30);__asm__ volatile("mcr p10, 7, %0, c8, c0, 0" :: "r" (val)); #endif#if ARM_CPU_CORTEX_A8/* enable the cycle count register */uint32_t en;__asm__ volatile("mrc p15, 0, %0, c9, c12, 0" : "=r" (en));en &= ~(1<<3); /* cycle count every cycle */en |= 1; /* enable all performance counters */__asm__ volatile("mcr p15, 0, %0, c9, c12, 0" :: "r" (en));/* enable cycle counter */en = (1<<31);__asm__ volatile("mcr p15, 0, %0, c9, c12, 1" :: "r" (en)); #endif } platform_early_init()平臺(tái)早期初始化,初始化平臺(tái)的時(shí)鐘和主板 bootable\bootloader\lk\platform\msm8952\platform.cvoid platform_early_init(void) {board_init(); //主板初始化platform_clock_init(); //時(shí)鐘初始化 qgic_init();qtimer_init(); }
?
從代碼可知,會(huì)創(chuàng)建一個(gè)bootstrap2線程,并使能中斷
static int bootstrap2(void *arg) {dprintf(SPEW, "top of bootstrap2()\n");arch_init(); ? ? //架構(gòu)初始化,此函數(shù)為空,什么都沒(méi)做// XXX put this somewhere else #if WITH_LIB_BIObio_init(); #endif #if WITH_LIB_FSfs_init(); #endif// initialize the rest of the platformdprintf(SPEW, "initializing platform\n");platform_init(); ? ? ? ? ? // 平臺(tái)初始化,不同的平臺(tái)要做的事情不一樣,可以是初始化系統(tǒng)時(shí)鐘,超頻等// initialize the targetdprintf(SPEW, "initializing target\n");target_init(); ? ? ? ? ? ?//目標(biāo)設(shè)備初始化,主要初始化Flash,整合分區(qū)表等dprintf(SPEW, "calling apps_init()\n");apps_init(); ? ? ? ? ? //應(yīng)用功能初始化,主要調(diào)用boot_init,啟動(dòng)kernel,加載boot/recovery鏡像等return 0; }apps_init()通過(guò)下面方式進(jìn)入aboot_init()函數(shù)
APP_START(aboot)
.init = aboot_init,
APP_END
?
?
從這里開(kāi)始是這篇文章的重點(diǎn),分析aboot.c文件。每個(gè)項(xiàng)目的文件可能會(huì)有不同,但是差別會(huì)很小。
bootable/bootloader/lk/app/aboot/aboot.cvoid aboot_init(const struct app_descriptor *app) {unsigned reboot_mode = 0;unsigned restart_reason = 0;unsigned hard_reboot_mode = 0;bool boot_into_fastboot = false;uint8_t pon_reason = pm8950_get_pon_reason(); //pm8950_get_pon_reason() 獲取開(kāi)機(jī)原因/* Setup page size information for nv storage */if (target_is_emmc_boot()) ? ? ? ? ? ? //檢測(cè)是emmc還是flash存儲(chǔ),并設(shè)置頁(yè)大小,一般是2048{page_size = mmc_page_size();page_mask = page_size - 1;}else{page_size = flash_page_size();page_mask = page_size - 1;}ASSERT((MEMBASE + MEMSIZE) > MEMBASE); ? ? ? ? ? //斷言,如果內(nèi)存基地址+內(nèi)存大小小于內(nèi)存基地址,則直接終止錯(cuò)誤read_device_info(&device); ? ? ? ? ? ? ? ? //從devinfo分區(qū)表read data到device結(jié)構(gòu)體 ? ? ? ? ? ?read_allow_oem_unlock(&device); ? ? ? ? ? ?//devinfo分區(qū)里記錄了unlock狀態(tài),從device中讀取此信息/* Display splash screen if enabled */if (!check_alarm_boot()) { ? ? ? ? ??dprintf(SPEW, "Display Init: Start\n");target_display_init(device.display_panel); ? ? ? ? ?//顯示splash,Splash也就是應(yīng)用程序啟動(dòng)之前先啟動(dòng)一個(gè)畫(huà)面,上面簡(jiǎn)單的介紹應(yīng)用程序的廠商,廠商的LOGO,名稱和版本等信息,多為一張圖片? ? ?dprintf(SPEW, "Display Init: Done\n");}#ifdef FEATURE_LOW_POWER_DISP_LKif(is_low_voltage) { ? ? ? ? ? //如果電量低,則顯示關(guān)機(jī)動(dòng)畫(huà),并關(guān)閉設(shè)備mdelay(2000);//target_uninit(); target_display_shutdown();shutdown_device();} #endifis_alarm_boot = check_alarm_boot(); ? ? ? ? ? ? ? ? ? ? ? ? ? //檢測(cè)開(kāi)機(jī)原因是否是由于關(guān)機(jī)鬧鐘導(dǎo)致target_serialno((unsigned char *) sn_buf);dprintf(SPEW,"serial number: %s\n",sn_buf);memset(display_panel_buf, '\0', MAX_PANEL_BUF_SIZE); ? ? ?/** Check power off reason if user force reset,* if yes phone will do normal boot.*/if (is_user_force_reset()) ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?//如果強(qiáng)制重啟,直接進(jìn)入normal_bootgoto normal_boot;dprintf(ALWAYS, "pon_reason=0x%02x\n", pon_reason);/* Check if we should do something other than booting up */if ( (pon_reason & USB_CHG) ? ? ? ? ? ? ? ? //啟動(dòng)原因是插上USB,并且用戶同時(shí)按住了音量上下鍵,進(jìn)入下載模式&& (keys_get_state(KEY_VOLUMEUP) && keys_get_state(KEY_VOLUMEDOWN))){display_dloadimage_on_screen(); ? ? ? ? ?//顯示下載模式圖片volume_keys_init(); ? ? ? ? ? ? //初始化音量按鍵int i = 0;int j = 0;int k = 0;dload_flag = 1 ;while(1) ? ? ? ? ? ?//進(jìn)入下載模式后,通過(guò)不同的按鍵組合進(jìn)入不同的模式,下面的代碼邏輯很簡(jiǎn)單,就不介紹了{(lán)thread_sleep(200);//dprintf(ALWAYS, "in while circle\n");if ( check_volume_up_key() && !check_volume_down_key() && !check_power_key() ){/* Hold volume_up_key 3 sec to download mode, if not enough, need to hold another 3 sec. */for(i = 0;i < 15;++i){thread_sleep(200);if (!check_volume_up_key()){dprintf(ALWAYS, "press volume_up not enough time\n");break;}}if(i == 15){break;}}else if (check_power_key() && !check_volume_up_key() && !check_volume_down_key()){/* Hold power_key 1 sec to normal boot, if not enough, need to hold another 1 sec. */for(j = 0;j < 5;++j){thread_sleep(200);if (!check_power_key()){//dprintf(ALWAYS, "press power_key not enough time\n");break;}}if(j == 5){goto normal_boot;}}else if (!check_volume_down_key() && !check_volume_up_key() && !check_power_key()){/* Hold no key and go to normal boot 30 sec later. */for(k = 0;k < 150;++k){thread_sleep(200);if (check_power_key() || check_volume_up_key()){//dprintf(ALWAYS, "press nothing\n");break;}}if(k == 150){//dprintf(ALWAYS, "goto normal_boot\n");goto normal_boot;}}}dprintf(CRITICAL,"dload mode key sequence detected\n");if (set_download_mode(EMERGENCY_DLOAD)){dprintf(CRITICAL,"dload mode not supported by target\n");}else{reboot_device(DLOAD);dprintf(ALWAYS,"Failed to reboot into dload mode\n");}boot_into_fastboot = true; ? ? ? ? //下載模式本質(zhì)上是進(jìn)入fastboot}if (!boot_into_fastboot) ? ?//如果不是通過(guò)usb+上下鍵進(jìn)入下載模式{if (keys_get_state(KEY_HOME) || (keys_get_state(KEY_VOLUMEUP) && !keys_get_state(KEY_VOLUMEDOWN))) //上鍵+電源鍵 進(jìn)入recovery模式 {boot_into_recovery = 1;struct recovery_message msg;strcpy(msg.recovery, "recovery\n--show_text");}if (!boot_into_recovery &&(keys_get_state(KEY_BACK) || (keys_get_state(KEY_VOLUMEDOWN) && !keys_get_state(KEY_VOLUMEUP)))) ? //下鍵+back鍵進(jìn)入fastboot模式,我的手機(jī)是有back實(shí)體鍵的boot_into_fastboot = true;}reboot_mode = check_reboot_mode(); ? ? ? ? ? ? ? ? ? ? ? ? ?//檢測(cè)開(kāi)機(jī)原因,并且修改相應(yīng)的標(biāo)志位hard_reboot_mode = check_hard_reboot_mode();if (reboot_mode == RECOVERY_MODE ||hard_reboot_mode == RECOVERY_HARD_RESET_MODE) {boot_into_recovery = 1;} else if(reboot_mode == FASTBOOT_MODE ||hard_reboot_mode == FASTBOOT_HARD_RESET_MODE) {boot_into_fastboot = true;} else if(reboot_mode == ALARM_BOOT ||hard_reboot_mode == RTC_HARD_RESET_MODE) {boot_reason_alarm = true;}else if (reboot_mode == DM_VERITY_ENFORCING){device.verity_mode = 1;write_device_info(&device);} else if(reboot_mode == DM_VERITY_LOGGING) {device.verity_mode = 0;write_device_info(&device);} else if(reboot_mode == DM_VERITY_KEYSCLEAR) {if(send_delete_keys_to_tz())ASSERT(0);}normal_boot:if(dload_flag){display_image_on_screen(); ? ? ? ? ? ? ? ? //顯示界面,上面提到過(guò)}if (!boot_into_fastboot) ?//如果不是fastboot模式{if (target_is_emmc_boot()){if(emmc_recovery_init())dprintf(ALWAYS,"error in emmc_recovery_init\n");if(target_use_signed_kernel()){if((device.is_unlocked) || (device.is_tampered)){#ifdef TZ_TAMPER_FUSEset_tamper_fuse_cmd();#endif#if USE_PCOM_SECBOOTset_tamper_flag(device.is_tampered);#endif}}boot_linux_from_mmc(); ? ? //程序會(huì)跑到這里,又一個(gè)重點(diǎn)內(nèi)容,下面會(huì)獨(dú)立分析這個(gè)函數(shù)。}else{recovery_init();#if USE_PCOM_SECBOOTif((device.is_unlocked) || (device.is_tampered))set_tamper_flag(device.is_tampered);#endifboot_linux_from_flash();}dprintf(CRITICAL, "ERROR: Could not do normal boot. Reverting ""to fastboot mode.\n");}
? ? //下面的代碼是fastboot的準(zhǔn)備工作,從中可以看出,進(jìn)入fastboot模式是不啟動(dòng)kernel的
/* We are here means regular boot did not happen. Start fastboot. *//* register aboot specific fastboot commands */aboot_fastboot_register_commands(); ? ? //注冊(cè)fastboot命令,建議看下此函數(shù)的源碼,此函數(shù)是fastboot支持的命令,如flash、erase等等/* dump partition table for debug info */partition_dump();/* initialize and start fastboot */fastboot_init(target_get_scratch_address(), target_get_max_flash_size()); ? ? //初始化fastboot #if FBCON_DISPLAY_MSGdisplay_fastboot_menu_thread(); ? ? ? ? //顯示fastboot界面 #endif }
關(guān)于device_info,這里多說(shuō)一點(diǎn)
devinfo Device information including:iis_unlocked, is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_versionAll these attirbutes are set based on some specific conditions and written on devinfo partition.devinfo是一個(gè)獨(dú)立的分區(qū),里面存放了下面的一些信息,上面是高通對(duì)這個(gè)分區(qū)的介紹。
struct device_info {unsigned char magic[DEVICE_MAGIC_SIZE];bool is_unlocked;bool is_tampered;bool is_verified;bool charger_screen_enabled;char display_panel[MAX_PANEL_ID_LEN];char bootloader_version[MAX_VERSION_LEN];char radio_version[MAX_VERSION_LEN]; };
?從上面的分析,我們大致可以知道boot_init()主要工作
1).確定page_size大小;
2).從devinfo分區(qū)獲取devinfo信息;
3).通過(guò)不同按鍵選擇設(shè)置對(duì)應(yīng)標(biāo)志位boot_into_xxx;
4).如果進(jìn)入fastboot模式,初始化fastboot命令等。
5).進(jìn)入boot_linux_from_mmc()函數(shù)。
?
?
下面分析lk啟動(dòng)過(guò)程中另一個(gè)重要的函數(shù)boot_linux_from_mmc();它主要負(fù)責(zé)根據(jù)boot_into_xxx從對(duì)應(yīng)的分區(qū)內(nèi)讀取相關(guān)信息并傳給kernel,然后引導(dǎo)kernel。
程序走到這,說(shuō)成沒(méi)有進(jìn)入fastboot模式,可能的情況有:正常啟動(dòng),進(jìn)入recovery,開(kāi)機(jī)鬧鐘啟動(dòng)。
boot_linux_from_mmc()主要做下面的事情?
1).程序會(huì)從boot分區(qū)或者recovery分區(qū)的header中讀取地址等信息,然后把kernel、ramdisk加載到內(nèi)存中。
2).程序會(huì)從misc分區(qū)中讀取bootloader_message結(jié)構(gòu)體,如果有boot-recovery,則進(jìn)入recovery模式
3).更新cmdline,然后把cmdline寫(xiě)到tags_addr地址,把參數(shù)傳給kernel,kernel起來(lái)以后會(huì)到這個(gè)地址讀取參數(shù)。
int boot_linux_from_mmc(void) ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? {struct boot_img_hdr *hdr = (void*) buf; ? ? ? //************buf和hdr指向相同的地址,可以理解為buf就是hdrstruct boot_img_hdr *uhdr;unsigned offset = 0;int rcode;unsigned long long ptn = 0;int index = INVALID_PTN;unsigned char *image_addr = 0;unsigned kernel_actual;unsigned ramdisk_actual;unsigned imagesize_actual;unsigned second_actual = 0;unsigned int dtb_size = 0;unsigned int out_len = 0;unsigned int out_avai_len = 0;unsigned char *out_addr = NULL;uint32_t dtb_offset = 0;unsigned char *kernel_start_addr = NULL;unsigned int kernel_size = 0;int rc;#if DEVICE_TREE ? ? ? ? ? ? ? ? ? ?struct dt_table *table;struct dt_entry dt_entry;unsigned dt_table_offset;uint32_t dt_actual;uint32_t dt_hdr_size;unsigned char *best_match_dt_addr = NULL; #endifstruct kernel64_hdr *kptr = NULL;if (check_format_bit()) ? ? ? ? ? ? ? ? ? ? ? ?//查找bootselect分區(qū),查看分區(qū)表,沒(méi)有此分區(qū),所以返回值為falseboot_into_recovery = 1;if (!boot_into_recovery) { ? ? ? ? ? ? ? ? ? ? //此時(shí)有兩種可能,正常開(kāi)機(jī)/進(jìn)入ffbm工廠測(cè)試模式,進(jìn)入工廠測(cè)試模式是正行啟動(dòng),但是向kernel傳參會(huì)多一個(gè)字符串"androidboot.mode='ffbm_mode_string'" memset(ffbm_mode_string, '\0', sizeof(ffbm_mode_string)); ? ? //ffbm_mode_string = ""rcode = get_ffbm(ffbm_mode_string, sizeof(ffbm_mode_string)); ?//從misc分區(qū)0地址中讀取sizeof(ffbm_mode_string)的內(nèi)容,如果內(nèi)容是"ffbm-",返回1,否則返回0if (rcode <= 0) {boot_into_ffbm = false;if (rcode < 0)dprintf(CRITICAL,"failed to get ffbm cookie");} elseboot_into_ffbm = true;} else ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? //boot_into_recovery=trueboot_into_ffbm = false;uhdr = (struct boot_img_hdr *)EMMC_BOOT_IMG_HEADER_ADDR; ? ? ? ? ? //uhdr指向boot分區(qū)header地址,header是什么東西,下面會(huì)詳細(xì)介紹if (!memcmp(uhdr->magic, BOOT_MAGIC, BOOT_MAGIC_SIZE)) { ? ? ?//檢查uhdr->magic 是否等于 "ANDROID!",不知到為什么要這么做,覺(jué)的沒(méi)有什么作用dprintf(INFO, "Unified boot method!\n");hdr = uhdr;goto unified_boot;}if (!boot_into_recovery) { ? ?//如果不是recovery模式,可能是正常啟動(dòng)或者進(jìn)入ffbm,再次生命ffbm和正常啟動(dòng)流程一樣啟動(dòng)kernel,只是kernel起來(lái)以后,init.c文件會(huì)讀取是否有"ffbm-"index = partition_get_index("boot"); ? ? ? ? //讀取boot分區(qū)ptn = partition_get_offset(index); ? ? ?//讀取boot分區(qū)的偏移量if(ptn == 0) {dprintf(CRITICAL, "ERROR: No boot partition found\n");return -1;}}else {index = partition_get_index("recovery"); ? ? ? ?//進(jìn)入recovery模式,讀取recovery分區(qū),并獲得recovery分區(qū)的偏移量。recovery.img和boot.img的組成是一樣的,下面有介紹ptn = partition_get_offset(index);if(ptn == 0) {dprintf(CRITICAL, "ERROR: No recovery partition found\n");return -1;}}/* Set Lun for boot & recovery partitions */mmc_set_lun(partition_get_lun(index)); ? ? ? ?if (mmc_read(ptn + offset, (uint32_t *) buf, page_size)) { ? ? ? ? ? ? ? ? //從boot/recovery分區(qū)讀取1字節(jié)的內(nèi)容到buf(hdr)中,我們知道在boot/recovery中開(kāi)始的1字節(jié)存放的是hdr的內(nèi)容,下面有詳細(xì)的介紹。dprintf(CRITICAL, "ERROR: Cannot read boot image header\n");return -1;}if (memcmp(hdr->magic, BOOT_MAGIC, BOOT_MAGIC_SIZE)) { ? ? ? ? ? ? ? ? ? //上面已經(jīng)從boot/recovery分區(qū)讀取了header到hdr,這里對(duì)比magic是否等于"ANDROID!",如果不是,則表明讀取的header是錯(cuò)誤的,也算是校驗(yàn)吧dprintf(CRITICAL, "ERROR: Invalid boot image header\n");return -1;}if (hdr->page_size && (hdr->page_size != page_size)) { ? ? ? ? ? ? ? ? ? //比較也的大小是否相同,應(yīng)該都是相同的2048字節(jié)if (hdr->page_size > BOOT_IMG_MAX_PAGE_SIZE) {dprintf(CRITICAL, "ERROR: Invalid page size\n");return -1;}page_size = hdr->page_size;page_mask = page_size - 1;}/* ensure commandline is terminated */hdr->cmdline[BOOT_ARGS_SIZE-1] = 0; ? ? ? ??kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask); ? ? ? ? ?//kernel所占的頁(yè)的總大小? ? ? ?例如kernel大小0x01,kernel_actual = 2048ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask); ? ? ? ? ?//ramdisk所占的頁(yè)的總大小image_addr = (unsigned char *)target_get_scratch_address(); ? ? ? ? ? ?#if DEVICE_TREEdt_actual = ROUND_TO_PAGE(hdr->dt_size, page_mask); ? ? //dt所占的頁(yè)的大小imagesize_actual = (page_size + kernel_actual + ramdisk_actual + dt_actual); ? ? ? ? ?//image占的頁(yè)的總大小 #elseimagesize_actual = (page_size + kernel_actual + ramdisk_actual); #endif#if VERIFIED_BOOTboot_verifier_init(); ? //校驗(yàn)boot #endifif (check_aboot_addr_range_overlap((uint32_t) image_addr, imagesize_actual)) ? ? ? //校驗(yàn)image_addr是否被覆蓋{dprintf(CRITICAL, "Boot image buffer address overlaps with aboot addresses.\n");return -1;}/** Update loading flow of bootimage to support compressed/uncompressed* bootimage on both 64bit and 32bit platform.* 1. Load bootimage from emmc partition onto DDR.* 2. Check if bootimage is gzip format. If yes, decompress compressed kernel* 3. Check kernel header and update kernel load addr for 64bit and 32bit* platform accordingly.* 4. Sanity Check on kernel_addr and ramdisk_addr and copy data.*/dprintf(INFO, "Loading boot image (%d): start\n", imagesize_actual);bs_set_timestamp(BS_KERNEL_LOAD_START);/* Read image without signature */if (mmc_read(ptn + offset, (void *)image_addr, imagesize_actual)) ? ? ? ?//讀取boot/recovery分區(qū)到image_addr{dprintf(CRITICAL, "ERROR: Cannot read boot image\n");return -1;}dprintf(INFO, "Loading boot image (%d): done\n", imagesize_actual);bs_set_timestamp(BS_KERNEL_LOAD_DONE);/* Authenticate Kernel */dprintf(INFO, "use_signed_kernel=%d, is_unlocked=%d, is_tampered=%d.\n",(int) target_use_signed_kernel(),device.is_unlocked,device.is_tampered);if(target_use_signed_kernel() && (!device.is_unlocked)) ? ? ? ? ? ? ? //這里是false ,感興趣可以追target_use_signed_kernel(),會(huì)發(fā)現(xiàn)這個(gè)函數(shù)返回的是0{offset = imagesize_actual;uhdr->magicif (check_aboot_addr_range_overlap((uint32_t)image_addr + offset, page_size)){dprintf(CRITICAL, "Signature read buffer address overlaps with aboot addresses.\n");return -1;}/* Read signature */if(mmc_read(ptn + offset, (voidffbm_mode_string *)(image_addr + offset), page_size)){dprintf(CRITICAL, "ERROR: Cannot read boot image signature\n");return -1;}verify_signed_bootimg((uint32_t)image_addr, imagesize_actual);} else {second_actual = ROUND_TO_PAGE(hdr->second_size, page_mask); ? ??#ifdef TZ_SAVE_KERNEL_HASHaboot_save_boot_hash_mmc((uint32_t) image_addr, imagesize_actual);#endif /* TZ_SAVE_KERNEL_HASH */#if VERIFIED_BOOTif(boot_verify_get_state() == ORANGE) ? ?//校驗(yàn)boot{ #if FBCON_DISPLAY_MSGdisplay_bootverify_menu_thread(DISPLAY_MENU_ORANGE);wait_for_users_action(); #elsedprintf(CRITICAL,"Your device has been unlocked and can't be trusted.\nWait for 5 seconds before proceeding\n");mdelay(5000); #endifset_root_flag(ORANGE,1);} #endif#ifdef MDTP_SUPPORT{/* Verify MDTP lock.* For boot & recovery partitions, MDTP will use boot_verifier APIs,* since verification was skipped in aboot. The signature is not part of the loaded image.*/mdtp_ext_partition_verification_t ext_partition;ext_partition.partition = boot_into_recovery ? MDTP_PARTITION_RECOVERY : MDTP_PARTITION_BOOT;ext_partition.integrity_state = MDTP_PARTITION_STATE_UNSET;ext_partition.page_size = page_size;ext_partition.image_addr = (uint32)image_addr;ext_partition.image_size = imagesize_actual;ext_partition.sig_avail = FALSE;mdtp_fwlock_verify_lock(&ext_partition);} #endif /* MDTP_SUPPORT */}#if VERIFIED_BOOT #if !VBOOT_MOTA// send root of trustif(!send_rot_command((uint32_t)device.is_unlocked))ASSERT(0); #endif #endif/** Check if the kernel image is a gzip package. If yes, need to decompress it.* If not, continue booting.*/? ? ? ?//檢測(cè)kernel image是否是gzip的包,如果是,解壓,如果不是,繼續(xù)boot。得到kernel的起始地址和大小
if (is_gzip_package((unsigned char *)(image_addr + page_size), hdr->kernel_size)){out_addr = (unsigned char *)(image_addr + imagesize_actual + page_size);out_avai_len = target_get_max_flash_size() - imagesize_actual - page_size;dprintf(INFO, "decompressing kernel image: start\n");rc = decompress((unsigned char *)(image_addr + page_size),hdr->kernel_size, out_addr, out_avai_len,&dtb_offset, &out_len);if (rc){dprintf(CRITICAL, "decompressing kernel image failed!!!\n");ASSERT(0);}dprintf(INFO, "decompressing kernel image: done\n");kptr = (struct kernel64_hdr *)out_addr;kernel_start_addr = out_addr;kernel_size = out_len;} else {kptr = (struct kernel64_hdr *)(image_addr + page_size);kernel_start_addr = (unsigned char *)(image_addr + page_size); ? //kernel_start起始地址kernel_size = hdr->kernel_size; //kernel大小}/** Update the kernel/ramdisk/tags address if the boot image header* has default values, these default values come from mkbootimg when* the boot image is flashed using fastboot flash:raw*/update_ker_tags_rdisk_addr(hdr, IS_ARM64(kptr)); //更新kernel/tags/ramdisk地址 ? /* Get virtual addresses since the hdr saves physical addresses. */hdr->kernel_addr = VA((addr_t)(hdr->kernel_addr)); ? ? ? ?//保存虛擬地址(mmu)hdr->ramdisk_addr = VA((addr_t)(hdr->ramdisk_addr));hdr->tags_addr = VA((addr_t)(hdr->tags_addr));kernel_size = ROUND_TO_PAGE(kernel_size, page_mask);/* Check if the addresses in the header are valid. */if (check_aboot_addr_range_overlap(hdr->kernel_addr, kernel_size) || ? ? ? ? ? ? ? ? ? ? ?//檢測(cè)kernel/ramdisk/tags地址是否超出emmc地址check_aboot_addr_range_overlap(hdr->ramdisk_addr, ramdisk_actual)){dprintf(CRITICAL, "kernel/ramdisk addresses overlap with aboot addresses.\n");return -1;}#ifndef DEVICE_TREEif (check_aboot_addr_range_overlap(hdr->tags_addr, MAX_TAGS_SIZE)){dprintf(CRITICAL, "Tags addresses overlap with aboot addresses.\n");return -1;} #endif/* Move kernel, ramdisk and device tree to correct address */memmove((void*) hdr->kernel_addr, kernel_start_addr, kernel_size); ? ? ? //把kernel/ramdisk放在相應(yīng)的地址上memmove((void*) hdr->ramdisk_addr, (char *)(image_addr + page_size + kernel_actual), hdr->ramdisk_size);#if DEVICE_TREE ? //讀取設(shè)備樹(shù)信息,放在相應(yīng)的地址上if(hdr->dt_size) {dt_table_offset = ((uint32_t)image_addr + page_size + kernel_actual + ramdisk_actual + second_actual);table = (struct dt_table*) dt_table_offset;if (dev_tree_validate(table, hdr->page_size, &dt_hdr_size) != 0) {dprintf(CRITICAL, "ERROR: Cannot validate Device Tree Table \n");return -1;}/* Find index of device tree within device tree table */if(dev_tree_get_entry_info(table, &dt_entry) != 0){dprintf(CRITICAL, "ERROR: Getting device tree address failed\n");return -1;}if (is_gzip_package((unsigned char *)dt_table_offset + dt_entry.offset, dt_entry.size)){unsigned int compressed_size = 0;out_addr += out_len;out_avai_len -= out_len;dprintf(INFO, "decompressing dtb: start\n");rc = decompress((unsigned char *)dt_table_offset + dt_entry.offset,dt_entry.size, out_addr, out_avai_len,&compressed_size, &dtb_size);if (rc){dprintf(CRITICAL, "decompressing dtb failed!!!\n");ASSERT(0);}dprintf(INFO, "decompressing dtb: done\n");best_match_dt_addr = out_addr;} else {best_match_dt_addr = (unsigned char *)dt_table_offset + dt_entry.offset;dtb_size = dt_entry.size;}/* Validate and Read device device tree in the tags_addr */if (check_aboot_addr_range_overlap(hdr->tags_addr, dtb_size)){dprintf(CRITICAL, "Device tree addresses overlap with aboot addresses.\n");return -1;}memmove((void *)hdr->tags_addr, (char *)best_match_dt_addr, dtb_size);} else {/* Validate the tags_addr */if (check_aboot_addr_range_overlap(hdr->tags_addr, kernel_actual)){dprintf(CRITICAL, "Device tree addresses overlap with aboot addresses.\n");return -1;}/** If appended dev tree is found, update the atags with* memory address to the DTB appended location on RAM.* Else update with the atags address in the kernel header*/void *dtb;dtb = dev_tree_appended((void*)(image_addr + page_size),hdr->kernel_size, dtb_offset,(void *)hdr->tags_addr);if (!dtb) {dprintf(CRITICAL, "ERROR: Appended Device Tree Blob not found\n");return -1;}}#endifif (boot_into_recovery && !device.is_unlocked && !device.is_tampered)target_load_ssd_keystore();unified_boot:boot_linux((void *)hdr->kernel_addr, (void *)hdr->tags_addr, ? ? ? ? ? //進(jìn)入boot_linux函數(shù),此函數(shù)比較簡(jiǎn)單,更新cmdline。(const char *)hdr->cmdline, board_machtype(),(void *)hdr->ramdisk_addr, hdr->ramdisk_size);return 0; }
如果misc分區(qū)的0地址內(nèi)容是"ffbm-",則boot_into_ffbm=true
int get_ffbm(char *ffbm, unsigned size) {const char *ffbm_cmd = "ffbm-";uint32_t page_size = get_page_size();char *ffbm_page_buffer = NULL;int retval = 0;if (size < FFBM_MODE_BUF_SIZE || size >= page_size){dprintf(CRITICAL, "Invalid size argument passed to get_ffbm\n");retval = -1;goto cleanup;}ffbm_page_buffer = (char*)malloc(page_size);if (!ffbm_page_buffer){dprintf(CRITICAL, "Failed to alloc buffer for ffbm cookie\n");retval = -1;goto cleanup;}if (read_misc(0, ffbm_page_buffer, page_size)){dprintf(CRITICAL, "Error reading MISC partition\n");retval = -1;goto cleanup;}ffbm_page_buffer[size] = '\0';if (strncmp(ffbm_cmd, ffbm_page_buffer, strlen(ffbm_cmd))){retval = 0;goto cleanup;}else{if (strlcpy(ffbm, ffbm_page_buffer, size) <FFBM_MODE_BUF_SIZE -1){dprintf(CRITICAL, "Invalid string in misc partition\n");retval = -1;}elseretval = 1;} cleanup:if(ffbm_page_buffer)free(ffbm_page_buffer);return retval; }?
boot.img和recovery.img的組成是一樣的,所以lk加載方式一樣,只是讀取的地址和大小不同而已。
我們看下boot.img和recovery.img鏡像里有什么,理解了這個(gè)再看lk加載boot.img/recovery.img就知道是怎么回事了:
** +-----------------+ ** | boot header | 1 page ** +-----------------+ ** | kernel | n pages ** +-----------------+ ** | ramdisk | m pages ** +-----------------+ ** | second stage | o pages ** +-----------------+ ** | device tree | p pages ** +-----------------+分析boot_img_hdr結(jié)構(gòu)提
kernel_size kernel表示zImage的實(shí)際大小
kernel_addr kernel的zImage載入內(nèi)存的物理地址,也是bootloader要跳轉(zhuǎn)的地址
ramdisk_size ramdisk的實(shí)際大小
ramdisk_addr ramdisk加載到內(nèi)存的實(shí)際物理地址,之后kernel會(huì)解壓并把它掛載成根文件系統(tǒng),我們的中樞神經(jīng)-init.rc就隱藏于內(nèi)
tags_addr ? ?tags_addr是傳參數(shù)用的物理內(nèi)存地址,它作用是把bootloader中的參數(shù)傳遞給kernel,參數(shù)放在這個(gè)地址上
page_size ? ?page_size是存儲(chǔ)芯片(ram/emmc)的頁(yè)大小,取決與存儲(chǔ)芯片
cmdline ? ? ?command line它可以由bootloader向kernel傳參的內(nèi)容,存放在tag_addr地址
second 可選 bootable/bootloader/lk/app/aboot/bootimg.h#ifndef _BOOT_IMAGE_H_ #define _BOOT_IMAGE_H_typedef struct boot_img_hdr boot_img_hdr;#define BOOT_MAGIC "ANDROID!" #define BOOT_MAGIC_SIZE 8 #define BOOT_NAME_SIZE 16 #define BOOT_ARGS_SIZE 512 #define BOOT_IMG_MAX_PAGE_SIZE 4096struct boot_img_hdr {unsigned char magic[BOOT_MAGIC_SIZE];unsigned kernel_size; /* size in bytes */unsigned kernel_addr; /* physical load addr */unsigned ramdisk_size; /* size in bytes */unsigned ramdisk_addr; /* physical load addr */unsigned second_size; /* size in bytes */unsigned second_addr; /* physical load addr */unsigned tags_addr; /* physical addr for kernel tags */unsigned page_size; /* flash page size we assume */unsigned dt_size; /* device_tree in bytes */unsigned unused; /* future expansion: should be 0 */unsigned char name[BOOT_NAME_SIZE]; /* asciiz product name */unsigned char cmdline[BOOT_ARGS_SIZE];unsigned id[8]; /* timestamp / checksum / sha1 / etc */ };/* ** +-----------------+ ** | boot header | 1 page ** +-----------------+ ** | kernel | n pages ** +-----------------+ ** | ramdisk | m pages ** +-----------------+ ** | second stage | o pages ** +-----------------+ ** | device tree | p pages ** +-----------------+ ** ** n = (kernel_size + page_size - 1) / page_size ** m = (ramdisk_size + page_size - 1) / page_size ** o = (second_size + page_size - 1) / page_size ** p = (dt_size + page_size - 1) / page_size ** 0. all entities are page_size aligned in flash ** 1. kernel and ramdisk are required (size != 0) ** 2. second is optional (second_size == 0 -> no second) ** 3. load each element (kernel, ramdisk, second) at ** the specified physical address (kernel_addr, etc) ** 4. prepare tags at tag_addr. kernel_args[] is ** appended to the kernel commandline in the tags. ** 5. r0 = 0, r1 = MACHINE_TYPE, r2 = tags_addr ** 6. if second_size != 0: jump to second_addr ** else: jump to kernel_addr */boot_img_hdr *mkbootimg(void *kernel, unsigned kernel_size,void *ramdisk, unsigned ramdisk_size,void *second, unsigned second_size,unsigned page_size,unsigned *bootimg_size);void bootimg_set_cmdline(boot_img_hdr *hdr, const char *cmdline); #define KERNEL64_HDR_MAGIC 0x644D5241 /* ARM64 */struct kernel64_hdr {uint32_t insn;uint32_t res1;uint64_t text_offset;uint64_t res2;uint64_t res3;uint64_t res4;uint64_t res5;uint64_t res6;uint32_t magic_64;uint32_t res7; };#endif
?
總結(jié)
以上是生活随笔為你收集整理的lk启动流程详细分析的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: AndroidVerifyBoot
- 下一篇: android 填满手机磁盘空间方法